Microsoft backs new anti-phishing standard

Microsoft has thrown its weight behind OpenID, an emerging Web authentication standard designed to reduce the risk of phishing attacks.

By
Robert McMillan, IDG News Service
| Feb 07, 2007

| IDG News Service

Share

TwitterFacebookLinkedInGoogle Plus

Microsoft has thrown its weight behind OpenID, an emerging Web authentication standard designed to reduce the risk of phishing attacks.

The announcement was made Tuesday at the RSA Conference in San Francisco during a joint keynote by Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie that was long on vision and short on specifics.

Microsoft pledged to work to integrate OpenID with its CardSpace identity management software, which is now available in conjunction with Windows Vista. "The marriage of CardSpace and OpenID 2.0 is actually a giant step forward," Mundie said.

By integrating these two technologies, Microsoft expects to "eliminate the issue of the man-in-the-middle-attack," Mundie said. In these attacks, which are increasingly being used by phishers, a thief steals sensitive information by setting up a fake Web site that passes information back and forth between the victim and the legitimate Web site.

OpenID is an emerging open-source standard that simplifies the task of logging on to many different Web sites.

Gates and Mundie spent much of their keynote discussing how their company plans to simplify security and make the process of managing digital identities easier.

IT professionals could achieve both ends by getting rid of log-in passwords and replacing them with strong, certificate-based authentication techniques like smart cards, Gates said. "Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is," he said.

"We see smart cards ... [and] certificates in general as the way these things should go. You'll be presenting certificates as opposed to weak passwords," he said.

Microsoft hopes to drive the adoption of smart cards, with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. Expected to ship on May 1, this software integrates technology from Microsoft's 2005 acquisition of Alacris with the company's Identity Integration Server. The software will make it easier for users to integrate strong authentication technologies like smart cards into Microsoft networks.

Mundie suggested that in order for security to work, technology companies will need to turn their thinking upside down, to a certain extent. "Security was really a blocking thing," Mundie said. "How do you invert this ... so these security mechanisms become a thing that makes it simpler for anyone to be granted permission to get [network] access."

Microsoft plans to achieve this by switching the focus using technologies like IPsec and IPv6, Mundie said. The company has already been using these technologies for the past two and a half years in an internal access control system that is better about granting employees and contractors access to the data and applications that they need, but keeping them away from the rest of the network, he said.

With breaches being reported every week - often after the loss of a laptop computer - companies need to think beyond locking down the perimeter of their networks, Mundie added. "The threat model is changing in fundamental ways. We could continue to invest in this fortress mentality of protecting everything, but I don't think that would be sufficient," he said. "Our castle is fairly porous because a lot of our assets leave the castle."

Microsoft's broad vision did not impress one attendee.

"This was the most content-free presentation I've seen at RSA in years," said Bruce Schneier, chief technology officer with BT Group PLC's Counterpane unit. "My guess is that most people in the room could have given that talk because it's where we all want to go."

The keynote, in which Gates and his successor sat side-by-side and, at times, finished each others thoughts, appeared to be a symbolic handing over of power, Schneier said.

Gates will be stepping down from his day-to-day duties in July 2008, at which point Mundie will take over Microsoft's research efforts.

But Schneier doesn't expect Gates to appear at next year's conference. "The take-away